Is validation required for all excel spreadsheet

We are using a excel spreadsheet to provide CAPA numbers and to track their status. A audit finding suggested that the spreadsheet needed validating. Is there a FDA requirement for this.

Yes there is, this is part of your quality management system so the information needs to be fulled validated.

I agree with Graham, but don’t forget that you can scale your validation based on a risk analysis. Based on just your brief description, I would say the validation would be pretty minimal.

Yes Yodon I agree, spreadsheet validation is minimal I have often performed spreadsheet validation using one document with everything included.

Hi Barbara

All spreadsheets used for manipulating or storing regulatory controlled data require to be validated. If you search among the warning letters you will find hundreds of citations for none validated speadsheets.

The basic problem is security - can the data be edited - without the identity of the edit being recorded and without over writing the original.

Excel has been long debated in the regulatory world and it is not validatable, that s the regulatory stand point - contest it if you want.

It is much simpler to obtain a spreadsheet that is validatable. There are several we have used over the last few years. I cannot recall them off hand, however if your stuck, email me and I will dig out a reference for you.


Alex Kennedy

Ah, a very simple question, with a very complex answer. Allow me to segregate the issues, as I see them, and provide some perspective.

Spreadsheet Validation
Spreadsheets are unique animals in that they can contain customized functionality in the form of cell calls, calculations, logic, and macros within the file. In this regard they can be considered mini programs. So, to me, the first issue is what customized functionality is being utilized within the Spreadsheet file.
● If you are using IF statements, performing calculations for durations, or using custom macros to control access, then you would need to follow an established SDLC and validate the spreadsheet functionality within the file in accordance with defined use.
● If you are using the spreadsheet as a list to track status, and only using functionality provided by the application (Excel), mainly search, sort, and filter, then you would not validate the spreadsheet file. The key here is where the functionality resides (and validation activies need to occur), which in this scenario is within the application, not the file. (Validating Excel is a conversation I will forgo at this juncture.)

Electronic Record
The second issue is to determine if it is a required record. And based upon the information provided by the question, it is plausible that this spreadsheet is nothing more than a record. Since no information was provided with respect to this element, I’ll rely on the area in which I am currently working. 21 CFR Sec. 820.100.b states, “All activities required under this section, and their results, shall be documented.” So, there is a predicate rule requirement for this and since it is a spreadsheet, it then falls under 21 CFR Part 11. As such, the controls and mechanisms related to electronic records apply.

There are several scenarios by which a solution may be provided:
● Excel (native application) has no security control mechanisms or audit trail functionality that can be applied to resolve the issues around Part 11, as Alex already indicated.
● Wrapper Solutions –two types
o Macro-based shells in which the code is contained within the spreadsheet file. This solution is usually used for spreadsheets that perform calculations and may not be appropriate here. They typically control the ability to save, modify, and print the file and contain no audit train functionality. This scenario would require validation of the code (macro) and would be performed at the spreadsheet file level.
o Generic shell, like that provided by ComplinaceBuilder, in which the application resides on the desktop and intercepts in the read/write I/O and interfaces with a database. These applications have the ability to control access and document an audit trail. As such, this option would require validation at the application level.
● Document Management Systems are widely used within the industry to control access and provide audit trail functionality. Documentum, LiveLink, and even CyberLab can fill this role. This scenario would be validatable at the application level.

With all of that being said, there are two more points I would like to make. First, please don’t take this as an endorsement of any of the applications I’ve mentioned above. I’ve worked with all of them and more and would be happy to provide a more complete list of options off-line, if you wish. Second, may I suggest that you consider an alternative solution to this problem. There are commercial applications, such as TrackWise or SmartSolve, that are intended to provide this functionality and more. Also, consider using an Access database (see Validation of MS Access Databases article) with a web front-end.


[quote=RTMcFadden]There are commercial applications, such as TrackWise or SmartSolve, that are intended to provide this functionality and more. Also, consider using an Access database (see Validation of MS Access Databases article) with a web front-end.

Thanks RTMcFadden.

That reminds me of an article I put together last year dealing with CAPA vendors have a look.